Proof Key of Code Exchange (PKCE)
Proof Key for Code Exchange (PKCE) is an OAuth 2.0 security extension that strengthens the authorization code flow, ensuring the client app that starts the authentication is the same that finishes it.
PKCE was originally designed for public clients (such as mobile and single-page apps) that can't securely store client secrets. Now, PKCE is recommended for all OAuth clients due to its strong protection against attacks like authorization code interception and CSRF.
PKCE enhances the standard OAuth 2.0 authorization code grant flow by adding a verification step that binds the authorization code to the client that requested it, preventing attackers who might intercept the code from exchanging it for tokens.
How PKCE Works
-
Client creates a secret–Code Verifier
Before starting the OAuth flow, the client generates a high-entropy random string called the code verifier.
-
Client derives a Code Challenge
The client applies a transformation (typically SHA-256 hash) to the code verifier to produce a code challenge.
-
Authorization request with Code Challenge
The client initiates the authorization request to the authorization server, including the code challenge and the method used (e.g., "S256").
-
User authenticates and authorizes
The usual OAuth interaction happens; the user grants access.
-
Authorization server returns Authorization Code
After successful authorization, the server sends an authorization code to the client via redirect.
-
Token request with Code Verifier
When redeeming the authorization code for tokens, the client sends the original code verifier.
-
Authorization server verifies
The server compares the code verifier against the initially received code challenge to confirm they match, ensuring the token request is from the same client that initiated the flow.
Benefits of PKCE
-
Mitigates authorization code interception attacks.
Even if an attacker captures the authorization code, they cannot redeem it without the original code verifier.
-
Protects public clients who cannot store client secrets.
Since public clients lack a confidential secret, PKCE adds a critical security layer.
-
Prevents CSRF attacks
It binds the authorization request and token exchange together, reducing the risk of forged requests.
PKCE is essential for mobile apps, single-page apps, and other public clients that cannot securely manage client secrets. However, given its security benefits, it is now recommended for all OAuth clients, including confidential clients, to prevent code interception and injection attacks.
PKCE: Summary Table
| Aspect | Description |
|---|---|
| What it is | OAuth 2.0 extension to secure authorization code flow |
| Main mechanism | Client generates code verifier and sends code challenge to server, which validates it during token exchange |
| Prevents | Authorization code interception and CSRF attacks |
| Clients that benefit | Public clients (mobile, SPAs), also recommended for confidential |
| OAuth version | Mandatory in OAuth 2.1, recommended before that |
| Core security benefit | Confirms that the client redeeming the authorization code is the same that initiated the request |
In essence, PKCE adds a cryptographic proof step binding the authorization code request and token exchange, significantly improving OAuth flow security by preventing attackers from stealing and using authorization codes fraudulently.
